Kaseya is an IT solution-oriented Ireland(Dublin) based development company that provides services to Managed Service Providers and enterprise clients. Its US headquarter is in Miami, Florida, also its vendors exist in 10 countries. Over 40,000 organizations worldwide use at least one Kaseya software solution.

 

The company became the victim of a cyberattack on July 2. The attackers have successfully executed a supply chain attack by exploiting a vulnerability in Kaseya’s VSA software against their multiple managed service providers and their clients.

 

Note: Kaseya’s VSA is software that helps you boost efficiency through IT automation and workflows. Also, helps you to manage endpoints remotely.

 

How did it all happen?

 

FBI described that this attack happened by leveraging a vulnerability in Kaseya VSA software against multiple MSP and their customers.

 

The Huntress Lab at first tracked 20 MSPs who were involved in the breach and marked them with “HIGH CONFIDENCE”. They stated that this attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface.

Posted by The Huntress Lab

 

POC Video by The Huntress Lab: Authentication Bypass, Arbitrary File Upload and Command Injection

According to the DFIR team, the attack allowed attackers to bypass authentication controls and gain authenticated sessions. Then achieving code execution in that process by uploading malicious payload and execute commands via SQL injection. After that, the threat actors pushed ransomware via a fake automated and malicious software updated using Kaseya VSA dubbed “Kaseya VSA Agent Hot-Fix” to their MSP client customers – and the update actually contains REvil ransomware. The team is also investigating an AWS IP that may have been used for launching the attack against the server.

 

What happened after the attack?

 

After the attack came into the light than the Kaseya took two steps  to prevent the attack & spread of the ransomware:

  • They sent notifications to on-premises customers to shut down their VSA servers
  • They shut down all VSA SaaS(Software as a Service)  infrastructure

 

The firm confirms that zero-day exploit vulnerabilities were used to exploit by the attackers.

 

What was the Impact?

 

As per the recent reports – over the weekend no SaaS customers were tagged as “never at risk” by Kaseya but the current estimation suggests that 40 on-premises clients have been the victim of the attack.

 

However, it is observed that a small number of Kaseya clients may have been directly affected as MSPs and SMB operated them.

 

According to the source report, approximately 800 coop supermarket chain stores in Sweden had to shut down temporarily because they were unable to open their cash registers.

 

Reddit Update by Huntress Lab Researcher

 

As per the latest report the number of vulnerable Kaseya servers visible, online and open to attackers reduced by 95% [from 1500 to 60] on July 2 to July 8 – stated by Palo Alto Networks.

 

Leave a Reply